Summarizing GDPR

Summarizing GDPR

You may well have heard about GDPR (General Data Protection Regulations) but do you know what it means for you?  The detailed information is found on the ICO website, but let’s summarize it for you

Does GDPR apply to me?

That broadly depends on the question “Do you hold or process ‘personal’ or ‘sensitive’ information on EU citizens?”  Personal data is anything that can identify an individual, this could even be IP address information, or a pseudonym that can be derived back to an individual.

Ok so GDPR applies to my company but what do I have to do?  GDPR enshrines Individuals’ rights in law.  These are

  1. The right to be informed: You need to be able to show the type data you’re collecting, who has access to the data, among other information within 30 days of the request, free of charge
  2. The right of access: You need to be able to provide a copy of the data collected for an individual within 30 days of the request, free of charge
  3. The right to rectification: You need to allow the user to submit corrections to their data and action them within 30 days, free of charge
  4. The right to erasure: You need to delete the user’s data on request, barring a few specific exceptions, free of charge
  5. The right to restrict processing: You need to allow the user to tell you to stop processing the data, free of charge
  6. The right to data portability: You need to be able to provide the user’s data in a structured, commonly used and machine readable format (e.g. csv format), free of charge
  7. The right to object: You need to allow the user to object to the data being processed or used (including profiling), free of charge
  8. Rights in relation to automated decision making and profiling: You need to allow a user to object to an automated decision and request human intervention.  There are some exceptions to this including contracting, authorised by law, explicit consent.

In the event that the data is breached then you have an obligation to determine if the breach is likely to or highly likely to be damaging to the individuals whose data has been breached, and notify the supervisory authority or the users (in case high likelihood of damage) within 72 hours.

When does GDPR come into force?

25th May 2018

What are the maximum fines for failure to comply?

20 million Euro or 4% of annual global turnover, whichever is the greater

How can you prepare?

Data breaches are by far the most worrying.  Microsoft offer a great set of tools to increase security of your environment, thereby reducing the risk of breaches and allowing early detection.  These include:

  • Office 365
    • Email
    • Instant Messaging
    • File Storage
    • File Sharing
    • Team Collaboration
    • and much more
  • Enterprise Mobility and Security
    • Conditional Access
    • Advanced Threat Protection
    • Azure Information Protection
    • Multifactor Authentication
  • Windows 10 Enterprise
    • Advanced Threat Protection

Microsoft are releasing a new product called Microsoft 365 which happens to combine the above into a single SKU in Microsoft Cloud, allowing you to take a big step towards a better protected environment.

Please contact us on info@neroblanco.co.uk for more information